Issue with _delete_by_query

afassl · April 5, 2019, 1:37pm

Hi,
we've encountered a kind of strange issue and solved it by a workaround, but not sure, if the issue is caused by a bug or the request string.
We've had to delete certain entries from an index, according to the documentation the query has to look like this:

curl -XPOST "http://kibana.company.com:9200/_delete_by_query" -H 'Content-Type: application/json' -d'
{
"query": {
"bool": {
"must": [
{
"match": {
"_index": {
"query": “xxx-6.5.4-error-*"
}
}
},
{
"match": {
"context.service.name": {
"query": “xxx-production"
}
}
},
{
"range": {
"@timestamp": {
"lt": "2019-04-05",
"gte": "2019-04-04",
"format": "yyyy-MM-dd||yyyy-MM-dd||yyyy||yyyy-MM"
}
}
}
]
}
}
}
'
But this call throws an error:
{"error":"Incorrect HTTP method for uri [/_delete_by_query] and method [POST], allowed: [HEAD, PUT, GET, DELETE]","status":405}

But the corresponding search query is fine:
curl -XGET "http://kibana.company.com:9200/_search" -H 'Content-Type: application/json' -d'
{
"query": {
"bool": {
"must": [
{
"match": {
"_index": {
"query": “xxx-6.5.4-error-*"
}
}
},
{
"match": {
"context.service.name": {
"query": “xxx-production"
}
}
},
{
"range": {
"@timestamp": {
"lt": "2019-12-31",
"gte": "2019-01-01",
"format": "yyyy-MM-dd||yyyy-MM-dd||yyyy||yyyy-MM"
}
}
}
]
}
}
}
'
and delivered as expected 2800 entries.

we've only been able to get the delete done, by adding the index into the the URI
curl -XPOST ’http://kibana.company.com:9200/xxx-6.5.4-error-date/_delete_by_query
and to execute it per day.

We are currently running elastic 6.3. But I'm assuming this is not related to the version.

Any idea?

Best regards

BenTrent · April 5, 2019, 2:00pm

Heya @afassl!

_delete_by_query requires the index patterns to be included in the url.
curl -XPOST "http://kibana.company.com:9200/my-index/_delete_by_query" should work.

elasticforme · April 5, 2019, 2:07pm

I just tested this and it worked. I had 73,000 document count which got deleted.

curl -XPOST "http://elkm01:9200/metricbeat_sysstat_2019/_delete_by_query?conflicts=proceed" -H 'Content-Type: application/json' -d'
     {
       "query": {
         "range": {
           "@timestamp": {
             "gte": "01-01-2019",
             "lte": "02-01-2019",
             "format": "MM-dd-yyyy||yyyy-MM-dd||yyyy||yyyy-MM"
           }
         }
       }
     }'

afassl · April 5, 2019, 3:43pm

Thanks a lot - so - a feature - not a bug.

Last question - possible to use a wildcard in the index? Not sure if this will be parsed, as we've already removed the data - can't test that

But again - thanks a lot

Best regards
Andreas

elasticforme · April 8, 2019, 2:47pm

yes you can use wildcard in query and delete the data

system · May 6, 2019, 2:47pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.